Data protection in Austria: first warning and then fine?

The General Data Protection Regulation (GDPR) basically keeps the choice of sanction options open. It is not mandatory which data protection violation must be punished by the supervisory authorities with which type of sanction. Rather, a comprehensive catalog of sanctions is available to the supervisory authorities. This enables an effective and in individual cases appropriate reaction to a violation of the provisions of the GDPR.

The GDPR is intended to ensure uniform application across Europe and effective implementation of data protection regulations. That is why there is no individual regulation by the individual member states in this area, e.g. through an opening clause.

Section 11 of the Austrian Data Protection Act now states that the Austrian supervisory authority should be bound when selecting a sanction to the extent that a data protection warning must be issued if the provisions of the GDPR are violated for the first time. In this way the Austrian legislature probably wanted to protect the domestic economy from excessive financial burdens.

In its current newsletter (issue 2/2020), the Austrian supervisory authority now makes it clear that the entire catalog of sanctions of the GDPR may also be applied in Austria in the event of a first-time violation.

The background to this is that the nation states do not have an opening clause available to guide the selection of an appropriate sanction by the supervisory authorities in a way that deviates from the provisions of the GDPR. As a result, § 11 DSG violates the GDPR and is not applicable due to the priority of application of European laws.

The clarification from the Austrian supervisory authority is expressly to be welcomed. This makes it clear once again that the member states cannot relax the basic provisions of the GDPR in national data protection laws.

Keeping an eye on the constantly changing data protection framework and interpreting it correctly at all times is a challenge for many companies. We would be happy to provide you with an external data protection officer for your company or advise you on a fee basis. Our team, consisting of lawyers, data protection and IT security officers, will be happy to help you. Call us on 08505 919 27-0 or fill out our contact form. We are happy to help!